I've got a Facebook application which I built as an FBML application. Lately I observed that FBML is deprecated and Facebook now suggests only iframe applications. Something I initially avoided, because my understanding is that iframes aren't valid XHTML code, and at that time I was attempting to write 100% validated code for everything.

However, I also can't stand building unsupported programs, so I set about altering my application to use fully formed HTML pages with the iframe approach to display them.

My pages render perfectly by themselves when I display them in their own window, but are completely blank in Safari when rendered in the frame supplied by Facebook. At first I was stumped and could not understand why nothing rendered, until a friend using IE explained he was seeing the following error:

To help protect the security of information you enter into this website, the publisher of this content does not allow it to be displayed in a frame.

So I began searching for this error, and found mountains of forum discussions between confused people trying to get their frame code working, and determined it was an error that appeared overnight in 2009 when IE8 was introduced. A bit more digging around the Microsoft site revealed that it's a security feature introduced by Microsoft to prevent click-jacking.

The apparent cause of this is the server sending an X-Frame-Options header; the response of Opera and IE is to display an error message about security and frames, while the response of WebKit browsers such as Chrome and Safari is to render an unhelpful blank frame. I own the hardware running the Apache server and I wrote all of the HTML, and I never explicitly sent the X-Frame-Options header, so I must assume that my installation of PHP sends this header automatically on all pages it delivers as a blanket security enhancement (either that, or Apache does it).

Clearly, since I understand what causes it, I could determine who's sending the header and stop it, but my real question is one of best practices: click-jacking prevention is clearly a worthy cause, and since some part of my server chain deems it important enough to send this header without asking, clearly someone thinks it's a good idea. However, Facebook applications, by design, load content from another website inside an iframe, so I'm surprised there's little if any discussion I can find about this on the web. Is there another way around this, or is it really a case of something that shouldn't be switched on for any page that's meant to be seen from inside an iframe?

In addition, if eliminating the header is the correct approach, does anybody know why it's being sent and where to turn it off? I'm running on Snow Leopard Server with the default installation of Apache and PHP.

Search the Apache config files for that option:

$ sudo grep -ir 'x-frame-options' /etc/apache2
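To see what the header actually does to a framed page, here is an added shell example (not part of the question or the answer above) that reads a captured response header block, as `curl -sI` would print it, and reports whether a browser enforcing X-Frame-Options would render the page inside a frame served from a given origin. The header samples and the origins `https://example.test` and `https://apps.facebook.com` are constructed for the example.

```shell
#!/bin/sh
# Constructed sample responses (not captured from the poster's server), in the
# form `curl -sI https://example.test/app/` would print them.
SAMEORIGIN_HEADERS='HTTP/1.1 200 OK
Server: Apache
x-frame-options: SAMEORIGIN
Content-Type: text/html; charset=utf-8'

ALLOWFROM_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: ALLOW-FROM https://apps.facebook.com
Content-Type: text/html; charset=utf-8'

NOXFO_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=utf-8'

# frame_decision HEADERS PAGE_ORIGIN EMBEDDER_ORIGIN
# Prints "allow" if a browser honouring X-Frame-Options would render the page
# inside a frame whose top-level document comes from EMBEDDER_ORIGIN, else "deny".
frame_decision() {
    headers=$1
    page=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    embedder=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    # Header names are case-insensitive; strip CR so CRLF line ends also work.
    # Split on the first colon only, since the value itself may contain "://".
    value=$(printf '%s\n' "$headers" | tr -d '\r' | awk '
        { i = index($0, ":") }
        i > 0 && tolower(substr($0, 1, i - 1)) == "x-frame-options" {
            v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit }')
    directive=$(printf '%s' "$value" | awk '{ print toupper($1) }')
    case "$directive" in
        "")         echo allow ;;   # header absent: nothing stops framing
        DENY)       echo deny ;;
        SAMEORIGIN) [ "$page" = "$embedder" ] && echo allow || echo deny ;;
        ALLOW-FROM) allowed=$(printf '%s' "$value" | awk '{ print tolower($2) }')
                    [ -n "$allowed" ] && [ "$allowed" = "$embedder" ] && echo allow || echo deny ;;
        *)          echo deny ;;    # unrecognised value: assume the frame is blocked
    esac
}

# Stand-alone run: the poster's situation, a SAMEORIGIN page framed by Facebook.
frame_decision "$SAMEORIGIN_HEADERS" https://example.test https://apps.facebook.com
```

Note that ALLOW-FROM was only ever honoured by some browsers (IE and Firefox); WebKit browsers ignored it, so it is not a reliable way to permit a single embedder across browsers.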